Story:
As a security team, we want discovery tools that can identify the software running on an endpoint/workload (container/VM/physical system, etc.) and map the software version to the impacted CVEs. In order to do that, we would like to give orgs/vendors the ability/option to embed unique software identifiers such as CPEs or PURLs in the binary/package.
A PR has already been raised and is being discussed in the Linux Foundation's OSSF Vulnerability Disclosure working group: #298
@kerberosmansour I think you misunderstand my objection to #298. It is not that the idea doesn't have merit - it is that building a format in a scanning tool and requesting the world use the format is the wrong approach. Instead, we need to work with the build and packaging tools to start generating an SBOM and embedding it as a standard part of the build output. See ossf/wg-vulnerability-disclosures#76 (comment).
I would be fine including a scanner for an SBOM format - if it were actually used and commonly available on more than a small handful of products. The issue is I have yet to see an SBOM format being widely used.
If you are interested, please visit the working group to discuss as we can help the project as well: https://github.com/ossf/wg-vulnerability-disclosures
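As an added example (not code from this project or from anyone in the thread), here is the kind of discovery scan the story asks for, in Python: find PURL and CPE 2.3 strings embedded in a binary, reduce them to (product, version) pairs, and look those up in a vulnerability table. The ELF-like blob, the vulnerability table and its `CVE-EXAMPLE-*` IDs are constructed for the demo; the regexes follow the published PURL and CPE 2.3 string shapes but are deliberately simplified.

```python
"""Scan a binary for embedded software identifiers (PURL / CPE 2.3) and map
them to affected versions in a small, constructed vulnerability table."""
import re

# Constructed stand-in for a binary: NUL-separated strings, including a PURL
# and a CPE that a packager might have stamped into the artifact at build time.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"libfoo: initialised\x00"
    + b"pkg:generic/example-vendor/libfoo@1.2.3\x00"
    + b"cpe:2.3:a:example_vendor:libfoo:1.2.3:*:*:*:*:*:*:*\x00"
    + b"pkg:generic/example-vendor/libbar@2.0.0\x00"
    + b"unrelated string with a colon: here\x00"
)

# Constructed vulnerability table (placeholder IDs, not real CVEs): a product
# is affected when its version is strictly below `fixed_in`.
SAMPLE_VULN_DB = [
    {"id": "CVE-EXAMPLE-0001", "product": "libfoo", "fixed_in": "1.2.5"},
    {"id": "CVE-EXAMPLE-0002", "product": "libfoo", "fixed_in": "1.1.0"},
    {"id": "CVE-EXAMPLE-0003", "product": "libbar", "fixed_in": "2.0.0"},
]

# PURL shape: pkg:type/[namespace/]name[@version][?qualifiers][#subpath]
PURL_RE = re.compile(
    rb"pkg:[a-z0-9.+-]+/[A-Za-z0-9._%/+-]+"
    rb"(?:@[A-Za-z0-9._%+-]+)?(?:\?[A-Za-z0-9._%=&+-]+)?(?:#[A-Za-z0-9._%/+-]+)?"
)
# CPE 2.3 formatted string: "cpe:2.3:" + part + 10 more colon-separated fields.
CPE23_RE = re.compile(rb"cpe:2\.3:[aho](?::[^:\x00\s]+){10}")


def extract_identifiers(blob: bytes) -> list[str]:
    """Return every PURL and CPE 2.3 string found in the raw bytes, by offset."""
    found = [(m.start(), m.group().decode("ascii")) for m in PURL_RE.finditer(blob)]
    found += [(m.start(), m.group().decode("ascii")) for m in CPE23_RE.finditer(blob)]
    return [ident for _, ident in sorted(found)]


def parse_purl(purl: str) -> dict:
    """Split a PURL into type, namespace, name, version (qualifiers/subpath dropped)."""
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")
    parts = path.split("/")
    return {
        "type": parts[0],
        "namespace": "/".join(parts[1:-1]) or None,
        "name": parts[-1],
        "version": version or None,
    }


def parse_cpe23(cpe: str) -> dict:
    """Pull vendor, product and version out of a CPE 2.3 formatted string."""
    fields = cpe.split(":")
    return {"vendor": fields[3], "name": fields[4], "version": fields[5]}


def version_key(version: str) -> tuple:
    """Sort key for dotted versions: numeric parts sort as ints, others as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def identify(blob: bytes) -> set[tuple[str, str]]:
    """Collapse all embedded identifiers to distinct (product, version) pairs."""
    products = set()
    for ident in extract_identifiers(blob):
        info = parse_purl(ident) if ident.startswith("pkg:") else parse_cpe23(ident)
        if info["version"] and info["version"] != "*":
            products.add((info["name"], info["version"]))
    return products


def scan(blob: bytes, vuln_db: list[dict]) -> list[tuple[str, str, str]]:
    """Map each identified (product, version) to entries whose fix is newer."""
    hits = []
    for name, version in sorted(identify(blob)):
        for entry in vuln_db:
            if entry["product"] == name and \
                    version_key(version) < version_key(entry["fixed_in"]):
                hits.append((name, version, entry["id"]))
    return hits


if __name__ == "__main__":
    for name, version, vuln_id in scan(SAMPLE_BLOB, SAMPLE_VULN_DB):
        print(f"{name} {version}: {vuln_id}")
```

Two points a practitioner would want noted: an embedded identifier is a self-declaration by whoever built the artifact (it can be stale after a rebuild or simply wrong), so a scanner should treat it as a hint to corroborate with its other signatures rather than as proof; and the version comparison here is a plain dotted-numeric ordering, which is enough for the demo but not a substitute for the ecosystem-specific version rules that real ranges require.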